request.rb in Web Console prior to 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers in determining a client's IP address, which allows remote malicious users to bypass the whitelisted_ips protection mechanism via a crafted request.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
rubyonrails web console |